Add --seccomp flag to ctr

crosbymichael · crosbymichael · commit 779701b29c8e · 2019-08-29T13:02:21.000-04:00
This enables testing of containers with the default seccomp profile

Signed-off-by: Michael Crosby &lt;crosbymichael@gmail.com&gt;
diff --git a/cmd/ctr/commands/commands.go b/cmd/ctr/commands/commands.go
@@ -130,6 +130,10 @@ var (
 			Name:  "device",
 			Usage: "add a device to a container",
 		},
+		cli.BoolFlag{
+			Name:  "seccomp",
+			Usage: "enable the default seccomp profile",
+		},
 	}
 )
 
diff --git a/cmd/ctr/commands/run/run_unix.go b/cmd/ctr/commands/run/run_unix.go
@@ -26,6 +26,7 @@ import (
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cmd/ctr/commands"
 	"github.com/containerd/containerd/contrib/nvidia"
+	"github.com/containerd/containerd/contrib/seccomp"
 	"github.com/containerd/containerd/oci"
 	"github.com/containerd/containerd/platforms"
 	"github.com/opencontainers/runtime-spec/specs-go"
@@ -126,6 +127,9 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 		if context.Bool("net-host") {
 			opts = append(opts, oci.WithHostNamespace(specs.NetworkNamespace), oci.WithHostHostsFile, oci.WithHostResolvconf)
 		}
+		if context.Bool("seccomp") {
+			opts = append(opts, seccomp.WithDefaultProfile())
+		}
 
 		joinNs := context.StringSlice("with-ns")
 		for _, ns := range joinNs {
diff --git a/contrib/seccomp/seccomp.go b/contrib/seccomp/seccomp.go
@@ -1,5 +1,3 @@
-// +build linux
-
 /*
    Copyright The containerd Authors.
 
diff --git a/contrib/seccomp/seccomp_default_unsupported.go b/contrib/seccomp/seccomp_default_unsupported.go
@@ -0,0 +1,26 @@
+// +build !linux
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package seccomp
+
+import specs "github.com/opencontainers/runtime-spec/specs-go"
+
+// DefaultProfile defines the whitelist for the default seccomp profile.
+func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
+	return &specs.LinuxSeccomp{}
+}

Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,10 @@ var (`
`130`	`130`	`Name: "device",`
`131`	`131`	`Usage: "add a device to a container",`
`132`	`132`	`},`
	`133`	`+ cli.BoolFlag{`
	`134`	`+ Name: "seccomp",`
	`135`	`+ Usage: "enable the default seccomp profile",`
	`136`	`+ },`
`133`	`137`	`}`
`134`	`138`	`)`
`135`	`139`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,3 @@`
`1`		`-// +build linux`
`2`		`-`
`3`	`1`	`/*`
`4`	`2`	`Copyright The containerd Authors.`
`5`	`3`